Attention Vendors: Five Reasons to Start Your Path to HITRUST Certification Now


Attention Vendors: Five Reasons to Start Your Path to HITRUST Certification Now

Health care vendors and business associates that are required to protect health information should have heard the news by now: HITRUST CSF Assurance is the new standard for streamlining the third-party assurance process.

The move stems from HITRUST’s ongoing mission to address inefficiencies and inconsistencies in third-party assurance, an objective and journey that first began in 2007. Now, across the country, partner agreement language is quickly being changed to specify the requirement for the new assurance and certification program.

The new certification attempts to remedy the challenges both health care organizations and business associates face in monitoring and assuring security requirements. In essence, in introducing a standardized compliance process that’s confirmed by a qualified HITRUST assessor, the goal is to unify and simplify the assurances both sides need and can support.

Here are five big reasons now is the best time to start moving toward the new CSF program.

1. This is going to take a while. HITRUST CSF certification has been introduced on a two-year implementation schedule. That does not, however, mean business associates have this lengthy lead time to comply. It does mean that the full process could take a full 24 months to complete. In fact, many health care organizations are recommending their vendors perform a selfassessment within the next 12 months.

2. The framework has already been provided. As a business associate or vendor, you’ll be reassured to know that a comprehensive framework for your journey has been developed. The Common Security Framework (CSF) is a framework that was prudently developed in collaboration with health care and information security professionals. Because the steps have been rigorously outlined, you won’t have to guess your way through it or defer action because of uncertainty.

3. You decide how deep and wide to go. Yes, the CSF is comprehensive, but it’s also flexible. It provides options for thirdparty assurance and the types of reporting and lets you weigh the overall scope. Making those right decisions, however, requires attentiveness and time for careful consideration.

4. You don’t have to go it alone. Choosing an assessor at the outset is a valuable way to help your group identify the proper scope and address gaps. The right assessor can help you determine the best path for meeting your client relationship needs while fitting your circumstances in the most cost-effective way possible.

5. For maximum leverage. Becoming certified is an industry differentiator and can be a point of entry to new health care customers. It demonstrates your commitment to security and reduces the time and volume of customer security questionnaire requests you receive. The sooner you’re committed to the process, the greater the opportunities for continued success.

Wipfli is proud to be an approved and accredited HITRUST CSF Assessor. As a CPA firm with professionals who’ve served as former IT leaders in health care environments, we bring best practices to help organizations make their best decisions.


Paul Johnson
Paul J. Johnson, CISSP, CCSFP, CPA
View Profile